Appendices
Appendix A: Handling of Classified Information
Purpose and Scope
This data classification policy defines the requirements to ensure that information within the organization ("Shuffl") is protected at an appropriate level. This document applies to the entire scope of Shuffl’s information security program. It includes all types of information, regardless of its form, such as paper or electronic documents, applications and databases, and knowledge or information that is not written. This policy applies to all individuals and systems that have access to information kept by Shuffl.
Background
This policy defines the high level objectives and implementation instructions for the Shuffl’s data classification scheme. This includes data classification levels, as well as procedures for the classification, labeling and handling of data within Shuffl.
References
Policy
If classified information is received from outside the organization, the person who receives the information must classify it in accordance with the rules prescribed in this policy. The person thereby will become the owner of the information.
If classified information is received from outside the organization and handled as part of business operations activities (e.g., customer data on provided cloud services), the information classification, as well as the owner of such information, must be made in accordance with the specifications of the respective customer service agreement and other legal requirements.
When classifying information, the level of confidentiality is determined by:
The value of the information, based on impacts identified during the risk assessment process. More information on risk assessments is defined in the Risk Assessment Policy (Reference 1).
Sensitivity and criticality of the information, based on the highest risk calculated for each information item during the risk assessment.
Legal, regulatory and contractual obligations.
Table 1: Information Confidentiality Levels
Confidentiality Level | Label Classification | Criteria | Access Restrictions |
Public | For Public | Making the | Information is |
Internal Use | Internal Use | Unauthorized access | Information is |
Restricted | Restricted | Unauthorized access | Information is |
Confidential | Confidential | Unauthorized access | Information is |
Information must be classified based on confidentiality levels as defined in Table 1.
Information and information system owners should try to use the lowest confidentiality level that ensures an adequate level of protection, thereby avoiding unnecessary production costs.
Information classified as “Restricted” or “Confidential” must be accompanied by a list of authorized persons in which the information owner specifies the names or job functions of persons who have the right to access that information.
Information classified as “Internal Use” must be accompanied by a list of authorized persons only if individuals outside the organization will have access to the document.
Information and information system owners must review the confidentiality level of their information assets every five years and assess whether the confidentiality level should be changed. Wherever possible, confidentiality levels should be lowered.
For cloud-based software services provided to customers, system owners under the organization’s control must also review the confidentiality level of their information systems after service agreement changes or after a customer’s formal notification. Where allowed by service agreements, confidentiality levels should be lowered.
Information must be labeled according to the following:
Paper documents: the confidentiality level is indicated on the top and bottom of each document page; it is also indicated on the front of the cover or envelope carrying such a document as well as on the filing folder in which the document is stored. If a document is not labeled, its default classification is Internal Use.
Electronic documents: the confidentiality level is indicated on the top and bottom of each document page. If a document is not labeled, its default classification is Internal Use.
Information systems: the confidentiality level in applications and databases must be indicated on the system access screen, as well as on the screen when displaying such information.
Electronic mail/Email: the confidentiality level is indicated in the first line of the email body. If it is not labeled, its default classification is “Internal Use”.
Information transmitted orally: the confidentiality level should be mentioned before discussing information during face-to-face communication, by telephone, or any other means of oral communication.
All persons accessing classified information must follow the guidelines listed in Appendix A, “Handling of Classified Information.”
All persons accessing classified information must complete and submit a Confidentiality Agreement to their immediate supervisor or company point-of-contact. Incidents related to the improper handling of classified information must be reported in accordance with the Security Incident Management Policy (Reference 2).
Appendix A: Handling of Classified Information
Information and information systems must be handled according to the following guidelines:
Paper Documents
Internal Use
Only authorized persons may have access.
If sent outside the organization, the document must be sent as registered mail.
Documents may only be kept in rooms without public access.
Documents must be removed expeditiously from printers.
Restricted
The document must be stored securely in a locked cabinet.
Documents may be transferred within and outside the organization only in a closed envelope.
If sent outside the organization, the document must be mailed with a return receipt service.
Documents must immediately be removed from printers and fax machines.
Only the document owner may copy the document.
Only the document owner may destroy the document.
Confidential
The document must be stored in a safe.
The document may be transferred within and outside the organization only by a trustworthy person in a closed and sealed envelope.
Electronic Documents
Internal Use
Only authorized persons may have access.
When documents are exchanged via unencrypted file sharing services such as FTP, they must be password protected
Access to the information system where the document is stored must be protected by a strong password.
Restricted
Only persons with authorization for this document may access the part of the information system where this document is stored.
When documents are exchanged via file sharing services of any type, they must be encrypted.
Only the document owner may erase the document.
Confidential
The document must be stored in encrypted form.
The document may be stored only on servers which are controlled by the organization.
The document may only be shared via file sharing services that are encrypted such as HTTPS and SSH. Further, the document must be encrypted and protected with a string password when transferred.
Information Systems
Internal Use
Only authorized persons may have access.
Access to the information system must be protected by a strong password.
The information system may be only located in rooms with controlled physical access.
Restricted
Users must log out of the information system if they have temporarily or permanently left the workplace.
Data must be securely deleted.
Confidential
Access to the information system must be controlled through multi-factor authentication (MFA).
The information system may only be installed on servers controlled by the organization.
The information system may only be located in rooms with controlled physical access and identity control of people accessing the room.
Electronic Mail
Internal Use
Only authorized persons may have access.
The sender must carefully check the recipient.
All rules stated under “information systems” apply.
Restricted
Email must be encrypted if sent outside the organization.
Confidential
Email must be encrypted.
Information Transmitted Orally
Internal Use
Only authorized persons may have access to information.
Unauthorized persons must not be present in the room when the information is communicated.
Restricted
The room must be sound-proof.
The conversation must not be recorded.
Confidential
Conversation conducted through electronic means must be encrypted.
No transcript of the conversation may be kept.
In this document, controls are implemented cumulatively, meaning that controls for any confidentiality level imply the implementation of controls defined for lower confidentiality levels - if stricter controls are prescribed for a higher confidentiality level, then only such controls are implemented.
Standard Controls Satisfied
TSC CC9.9